X509

X509 client certificates are typically used to allow users to authenticate to the Spinnaker API. This is especially helpful if you want different groups within your organization to maintain different keys. You can re-use the same certificate as in the previous step, but you may want to maintain separate certificates for different groups within your organization.

In order to enable X509 certificates, we’ll need to add an additional trust certificate (the CA certificate that signs the client certificates) to the keystore.

The configuration adds an additional port for X509 certificates. This lets you terminate HTTPS for end users of the UI on the ELB while serving the API on a different port that requires X509 client certificates.

We’ll need to create an additional key for the client/server to use for authentication. The example below uses self-signed certificates:

Generate Certificate Authority

openssl genrsa -des3 -out ca.key 4096

Self-sign a certificate with the key that was created in the previous step

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create a client key

openssl genrsa -des3 -out client.key 4096

Generate a new Certificate Signing Request (CSR) from the client key used in the previous step.
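The steps above, carried through to a CA-signed client certificate and a trust check, as an added example that is not part of the original Spinnaker documentation. It assumes openssl is on PATH; the subjects are constructed, and keys are written unencrypted (no -des3) so the script runs without prompting.

```shell
#!/bin/sh
# Added example (not from the Spinnaker docs): build the CA, client key and CSR the
# page walks through, sign the CSR with the CA, and verify that ca.crt vouches for it.
set -eu

# Create the whole chain inside $1 (a work directory).
# Unlike the page's interactive -des3 commands, keys here are unencrypted so the
# script is non-interactive; rely on the 0600 permissions from umask or re-encrypt.
make_x509_chain() {
  dir="$1"
  mkdir -p "$dir"
  umask 077

  # 1. Certificate Authority key and self-signed CA certificate (365 days, as on the page)
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/O=Example Org/CN=Spinnaker Gate client CA" 2>/dev/null

  # 2. Client key and Certificate Signing Request (the step the page stops at)
  openssl genrsa -out "$dir/client.key" 4096 2>/dev/null
  openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
    -subj "/O=Example Org/OU=deploy-team/CN=deploy-user" 2>/dev/null

  # 3. Sign the CSR with the CA. client.crt is what a user presents to Gate;
  #    ca.crt is the trust certificate that gets added to the keystore.
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null

  # 4. Check the chain the way the server effectively will: does ca.crt vouch for client.crt?
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null
}

# Exit 0 only if certificate $2 chains to the CA certificate $1.
cert_trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject of a certificate (useful when mapping client certs to users/groups).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}
```

Run `make_x509_chain ./x509-demo` and inspect `ca.crt` (for the keystore) and `client.crt` (for the user); a certificate from any other CA fails `cert_trusted_by ./x509-demo/ca.crt`.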

Enabling Sticky Sessions

Before you configure authentication, you’ll need to enable sticky sessions on the external ELB for port 8084 (Gate). This operation must be done through the AWS console. For an infinite session, leave the Expiration Period blank.